Abstract

The cost minimization of Virtual Private Networks 
(VPN) that use the resources of an underlying transport 
network is the key factor for their successful 
implementation [1]. The investigation in this paper is
focused on network based VPNs, where the operation
of the VPN is outsourced to an Internet Service Provider
(ISP). The interest in such solutions is generated both by
customers seeking to reduce support costs and by ISPs
seeking new revenue sources. Solving the cost
minimization problem would allow Internet Service Providers
(ISPs) to define and deploy new VPN services. The
basic building block of VPN is the tunnel. A tunnel
operates as an overlay across the backbone, and the
traffic sent through the tunnel is opaque to the
underlying backbone. A VPN end point can terminate
multiple tunnels or forward packets between different
tunnels. Different tunnels can share the same physical
link and traffic belonging to the same VPN tunnel can
be carried along different physical links. The
multiplexing and management of the VPN tunnels is
made possible by core routers supporting the VPN of
the underlying network.

The novelty of the presented work is the network flow 
model of VPN mapping on the underlying ISP network. 
We assume that the VPN topology, the topology of the 
ISP network and the total utilization cost for all 
underlying links are known parameters. Based on this, 
we propose a network management system based on a 
network flow optimization [2] in order to define the 
minimal cost link allocation for the VPN tunnels. We 
provide a simulation of the proposed optimal 
establishment of VPN tunnels and performance 
evaluation of the simulation results. 

Keywords: Virtual Private Networks (VPN), cost 
minimization, optimal network flow, 
tunneling in VPN 
1. INTRODUCTION

VPN (Virtual Private Network) is the technology 
accepted by a number of vendors as their private 
networks grow within public network infrastructure. 
The end customers usually wish to access VPN by using 
Dial-up, ISDN, DSL, cable modems or dedicated private 
lines. 

The growing interest in the use of VPNs pushes the 
search for more cost effective means of building and 
deploying private communication networks for multi- 
site communication than with existing approaches. 

Today, there are several approaches for
building VPN connectivity. Among the most popular
cases are the Remote Access, Intranet and Extranet
VPNs. Remote access VPNs are designed to support
mobile workforce and telecommuters. End users can
connect to their corporate Intranets through secure
tunnels. Intranet VPNs connect business sites together.
They are also known as Site-To-Site VPNs. Extranet
VPNs allow business partners to connect to the corporate
site with limited authority.

Regarding the VPN implementation there are the
following major approaches: Layer 2 based approaches
such as Frame Relay or ATM based VPN and Layer 3
based approaches such as MPLS (Multiple Protocol Label
Switch) VPN and IP (Internet Protocol) VPN.
Depending on different application scenarios they all
have their own advantages and drawbacks. For instance,
frame relay is inherently considered as secure [6]
because it uses layer 2 technology, but
compared to IP VPN it is considerably more expensive.
On the other hand, MPLS VPN is a layer 3 based
technology and therefore substantially more scalable.
However, it requires all sites to be tied into the same
service provider and does not lend itself to remote
access from remote dialup users. IP VPN is cheaper,
easy to build and has a clear advantage in remote
access applications. Meanwhile, the latency of IP
connections is expected to improve.

In this paper we concentrate our attention on IP
VPNs because their connectionless nature makes them
more scalable and easier to build and manage than layer
2 based VPNs. Meanwhile, IP-VPNs provide the
benefits of flexibility and simplicity in billing,
management and provisioning as well as remote access
beyond the service provider's network [3]. Regarding
QoS in VPN, service classifications can be specified by
policy implementation within the service provider's
network.

The novelty of the presented work is the network 
flow model of VPN mapping on the underlying ISP 
network. We assume that the VPN topology, the 
topology of the ISP network and the total utilization cost 
for all underlying links are known parameters. Based on 
this, we propose a network management system based 
on a network flow optimization [2] in order to define the 
minimal cost link allocation for the VPN tunnels. We 
provide a simulation of the proposed optimal 
establishment of VPN tunnels and performance 
evaluation of the simulation results. 

There are three major IP-VPN approaches [1], [3]:
CPE-based VPN (Customer Premises Equipment VPN),
CLE-based VPN (Customer Located Equipment
VPN) [3] and network-based VPN [3], [1]. In CPE VPN,
tunnels (virtual connections between end users) are
established only between the CPE devices [5] and the
service provider's routers are VPN-disabled. CLE VPN
is based on equipment owned and operated by the
service provider but located in the customer's premises
[3]. For network-based VPNs, the equipment is
located in the service provider's premises at the edge of
its network.

2. DESIGN OBJECTIVE 

There is significant interest in network based VPN 
solutions, both by customers seeking to reduce support 
costs and by ISPs seeking new revenue sources. 
Supporting VPNs requires the use of particular 
mechanisms, which may lead to highly efficient and 
cost effective solutions, where common equipment and 
operations support are amortized across large numbers 
of customers [1]. This is the main reason we deal with
network based VPNs in this paper.

Our design objective is to minimize the cost of
operation for a service provider supplying network-
based IP-VPN solutions. In particular, from the three
basic types of service mentioned in section 1, we will
investigate Intranet VPNs, which enable secure site-to-
site connection within the customer premises'
environment.

3. NETWORK MODEL 

We assume that IP-VPN is deployed to connect
multiple enterprise sites, where each site has access to
the nearest service provider point of presence (POP).
Site-to-site traffic is carried between POPs by secure
links over the Internet or the service provider's
backbone. A managed backbone network ensuring
performance and reliability is required for IP-VPN to
succeed as a WAN alternative technology. The VPN
end users may choose ISDN, T1, T3 links etc., in order
to get connected to the service provider (see Fig. 1).

We further assume that we are dealing with small
and medium business VPN customers establishing
private tunnels between headquarter and company
branches. Such a topology is known as a hub-and-spokes
topology [3], shown in Fig. 1. The bandwidth
requirements for the VPN end users are given as a traffic
demand matrix, and as price factors for the ISP we
consider leased line cost, maintenance,
management etc.

In order to achieve the design objective, we deploy
the model known as the "multi commodity flow problem"
(MFC). We consider the bandwidth reserved over
physical connections for a certain VPN virtual
connection as a commodity. In other words, the individual
commodities share common link capacities. First, we
will present the MFC formulation and we will deploy it
for simulation.

Legend:

- T3 connection (max. 43.23 Mbps with 28 T1)

- OC3 connection (max. 1.544 Mbps with 100 T1)




Figure 1 Transport network and 1 VPNs 
3.1. Min-Cost Multicommodity Flows Formulation

Given a directed graph \(G(N,A)\) with \(n\) nodes and \(m\)
arcs, and the set \(K=\{1,\dots,k\}\), a multicommodity flow on
\(G\) is a vector \(x=[x^1,x^2,\dots,x^k]\) of \(k\) distinct flow vectors
\(x^h: A \to \mathbb{R}\), where the index \(h\) is used to indicate different
commodities. Let \(x^h_{ij}\) denote the flow of commodity \(h\)
on arc \((i,j)\) and \(c^h_{ij}\) the per unit cost for commodity \(h\) on
arc \((i,j)\). Using this notation, we can formulate the
Minimum cost multicommodity problem (MMFC) as
follows [2]:



(MMCF) =

\[ 0 \le x^h_{ij} \le u^h_{ij} \]

\[ \sum_{h \in K} x^h_{ij} \le u_{ij} \qquad \forall (i,j) \in A \]

It requires routing the "commodities" on \(G\) at
minimal total cost, respecting the node balance
constraints and the individual (or single commodity)
constraints \(0 \le x^h_{ij} \le u^h_{ij}\) as well as the mutual or aggregate
capacity constraints \(\sum_{h \in K} x^h_{ij} \le u_{ij}\). After the
formulation of MMCF we will reformulate the problem
in order to match the network-based VPN design
objective.

3.2. VPN Routing and Multicommodity Min-Cost Formulation

In order to adjust this formulation to the VPN
network with near to real parameters we
make the following assumptions:

• The network links are bi-directional

• The VPN is given as a demand traffic matrix

• The capacity of the physical links is limited
by an upper bound

• The Service Level Agreement between ISP and
end-customer is the reserved bandwidth for the
virtual connection

The cost for the ISP for 1 Mbps bandwidth using T3
links is $667 per month, while the cost for using OC3 is
$267 per month [7]. We further assume in the example
shown in Fig. 1 that \(c^h_{ij}\) is the cost per unit bandwidth on
link \((i,j)\) for a virtual channel \(h\), and \(x^h_{ij}\) is the reserved
bandwidth (it needs to be computed after solving the
optimization). According to the notations for MMCF,
\(u^h_{ij}\) is the maximum capacity for a virtual link, and \(u_{ij}\)
is the maximum capacity of a link between two VPN
enabled routers (see Fig. 1).

Then we formulate the routing problem as follows:

(MMCF) =

\(0 \le x^h_{ij} +\)

\(h \in K\)

\(\forall (i,j) \in A\)



In this formulation, equation (1) is the ISP total
transport cost for operating the network (satisfying VPN
customer demands). Equation (2) is the flow balance
equation for every node. Inequalities (3) and (4) are
related to the bi-directionality of the physical links.
They carry unidirectional virtual connections (VC), but
over one physical link it is possible to transport VCs with
different directions. The result of solving this
optimization problem is the flow allocation \(x^h_{ij}\). The
allocation is the optimal routing: the amount of
bandwidth allocated for every virtual connection \(h\) on
every physical link \((i,j)\).

4. PERFORMANCE EVALUATION 

The performance evaluation of the proposed novel 
routing algorithm is done by comparing it with QoS 
enabled OSPF routing. We made this choice due to the 
fact that the transport service provider operates in one 
domain. In such case, a widespread solution is to 
implement OSPF routing [9]. 

4.1. OSPF Algorithm overview

OSPF (Open Shortest Path First) is an industry
standard protocol developed by the Internet Engineering
Task Force (IETF). The basis of OSPF is the SPF
(Shortest Path First) algorithm [8]. OSPF can function
as a link state routing protocol and can also support the
requirements of larger networks as well as multiple
network layer protocols. OSPF is also referred to as a
distributed-database protocol. It maintains a topological
database that stores information related to the state of
links within an autonomous network and uses this
information to calculate the shortest path [8]. We
implement this algorithm to compute the paths in the
simulation network (see Fig. 1).

4.2. Simulation of VPN Routing using 
Multicommodity MinCost Formulation and 
OSPF 

SIMULATION A 

The simulation is performed using the algebraic
modeling language OPL and the optimization tool
CPLEX 7.0. The optical network shown in Fig. 1 is
taken as example. We assume there are two VPNs: VPN
A and VPN B. VPN A has three nodes: A1 and A2 as
clients and HA as headquarter. The same is valid for
VPN B. The simulation computes the total transport cost
for the service provider when satisfying the customer
demands. It is assumed that when deploying a T3 link,
the price for 1 Mb bandwidth is $267, while deploying
an OC3 link the corresponding price is $667 (see Fig.
1). The routing problem we are faced with is on which
links to reserve bandwidth in order to satisfy the
customer's demands. We deploy two routing
techniques: Open Shortest Path First (OSPF - see
Section 4.1) and MinCost Multicommodity Flow
Optimization (MMCF - see Section 3.2).

Table 1 : Routing transport costs comparison deploying 
OSPF and MMCF for the network model shown in Fig. 1 



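| VPN A: HQ A (Mbps) | VPN A: A1 (Mbps) | VPN A: A2 (Mbps) | VPN B: HQ B (Mbps) | VPN B: B1 (Mbps) | VPN B: B2 (Mbps) | Total cost, OSPF ($) | Total cost, MMCF ($) | Savings (in %) |
|---|---|---|---|---|---|---|---|---|
| 10 | 5 | 5 | 5 | 3 | 2 | | 24956 | 10.92 |
| 8 | 3 | 5 | 4 | 1 | 3 | | 21353 | 2.99 |
| 13 | 10 | 3 | 15 | 5 | 10 | | 49109 | 10.43 |
| 12 | 2 | 10 | 8 | 3 | 5 | | 32695 | 9.23 |
| 20 | 10 | 10 | 15 | 5 | 10 | | 59385 | 10.07 |
| 13 | 10 | 3 | 7 | 5 | 2 | | 34165 | 11.99 |
| 30 | 20 | 10 | 25 | 10 | 15 | | 94750 | 8.95 |
| 30 | 15 | 15 | 15 | 5 | 10 | | 75400 | 10.29 |
| 20 | 15 | 5 | 30 | 20 | 10 | | 86745 | 11.53 |
| 35 | 20 | 15 | 35 | 10 | 25 | | 120770 | 6.66 |
| 40 | 20 | 20 | 40 | 16 | 24 | | 136652 | 6.89 |
| 42 | 20 | 22 | 40 | 22 | 18 | | 138790 | 7.46 |
| Average | | | | | | | | 8.95 |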



The VPN customer demands are between 0 and 43
Mbps, based on the fact that in the model network, the
majority of the links are T3. The corresponding total
transport costs are provided, along with the savings
made when using MMCF. The graphical representation
of the simulation is given in Fig. 2. We can draw the
following conclusions:

• For modest traffic load, the savings are
relatively small, e.g. for demands A1=3,
A2=5, HQ A=8, B1=1, B2=3, HQ B=4 the
transport cost savings are 2.99%.

• The deployment of MMCF is appropriate for
higher traffic load.




Fig. 2: Comparison of routing transport costs with OSPF
and MMCF for the network model shown in Fig. 1

SIMULATION B: 

We examine different link capacities in order to 
estimate their influence on the performance 
improvement using MMCF. The difference between the 
network shown on Fig 1 and Fig 2 is that the link 
between nodes 8 and 9 is now T3 instead of OC3.




Fig. 3: Another network model. (Simulation B) 

We perform the simulation using the same 
assumptions as in simulation A: we compare the total 
transport cost for satisfying customer bandwidth 
demands for two VPNs using the OSPF and MMCF
routing algorithms. The corresponding results are shown
in Table 2 and in Fig. 3:

Table 2: Routing transport costs comparison deploying 
OSPF and MMCF for the network model shown in Fig.3 



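| VPN A: HQ A (Mbps) | VPN A: A1 (Mbps) | VPN A: A2 (Mbps) | VPN B: HQ B (Mbps) | VPN B: B1 (Mbps) | VPN B: B2 (Mbps) | Total cost, OSPF ($) | Total cost, MMCF ($) | Savings (in %) |
|---|---|---|---|---|---|---|---|---|
| 10 | 5 | 5 | 5 | 3 | 2 | | 26020 | 7.12 |
| 8 | 3 | 5 | 4 | 1 | 3 | | 20416 | 7.25 |
| 13 | 10 | 3 | 15 | 5 | 10 | | 51104 | 6.79 |
| 12 | 2 | 10 | 8 | 3 | 5 | | 33360 | 7.38 |
| 20 | 10 | 10 | 15 | 5 | 10 | | 61380 | 7.04 |
| 13 | 10 | 3 | 7 | 5 | 2 | | 36160 | 6.85 |
| 30 | 20 | 10 | 25 | 10 | 15 | | 98740 | 5.11 |
| 30 | 15 | 15 | 15 | 5 | 10 | | 70060 | 16.63 |
| 20 | 15 | 5 | 30 | 20 | 10 | | 91400 | 6.78 |
| 35 | 20 | 15 | 35 | 10 | 25 | | 124760 | 3.60 |
| 40 | 20 | 20 | 40 | 16 | 24 | | 141440 | 3.63 |
| 42 | 20 | 22 | 40 | 22 | 18 | | 144376 | 3.72 |
| Average | | | | | | | | 6.83 |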



The results seem similar to those of simulation A. It 
can be seen that the savings are lower than those of 
simulation A: here the average operating saving is 
6.83% compared to 8.95% we encountered in the 
previous simulation. 



Cost of Routing OSPF vs. MMCF




Fig 4: Comparison of routing transport costs with OSPF 
and MMCF for the network model shown in Fig.3 

The results from Fig. 3 confirm our earlier
conclusion. We can expect significant savings when
VPNs apply higher traffic loading levels to the
underlying ISP network.

SIMULATION C 

In order to find the worst case MMCF performance, 
where the total transport cost of MinCost 
Multicommodity Flow Routing is equal to OSPF routing 
transport cost, we take into consideration the network 
topology depicted in Fig. 4. 




Fig. 5: Network model for Simulation C. 

The difference with the other topologies, shown in
Fig. 1 and Fig. 3, is that the presented topology is
"symmetric". While in Fig. 1 we can identify a linear high-
speed OC-3 backbone, in Fig. 5 the backbone is not as
"asymmetric" as in Fig. 1 and in Fig. 3. The simulations
performed for this model are identical to the simulations
for A and B: we compare the total cost savings of
MMCF routing compared to OSPF routing. The results
are listed in Table 3:

Table 3: Routing transport costs comparison deploying 
OSPF and MMCF for the network model shown in Fig.5 



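| VPN A: HQ A (Mbps) | VPN A: A1 (Mbps) | VPN A: A2 (Mbps) | VPN B: HQ B (Mbps) | VPN B: B1 (Mbps) | VPN B: B2 (Mbps) | Total cost, OSPF ($) | Total cost, MMCF ($) | Savings (in %) |
|---|---|---|---|---|---|---|---|---|
| 10 | 5 | 5 | 5 | 3 | 2 | | 24015 | 0 |
| 8 | 3 | 5 | 4 | 1 | 3 | | 19212 | 0 |
| 13 | 10 | 3 | 15 | 5 | 10 | | 44828 | 0 |
| 12 | 2 | 10 | 8 | 3 | 5 | | 32020 | 0 |
| 20 | 10 | 10 | 15 | 5 | 10 | | 56035 | 0 |
| 13 | 10 | 3 | 7 | 5 | 2 | | 32020 | 0 |
| 30 | 20 | 10 | 25 | 10 | 15 | | 88055 | 0 |
| 30 | 15 | 15 | 15 | 5 | 10 | | 72045 | 0 |
| 20 | 15 | 5 | 30 | 20 | 10 | | 80050 | 0 |
| 35 | 20 | 15 | 35 | 10 | 25 | | 112070 | 0 |
| 40 | 20 | 20 | 40 | 16 | 24 | | 128080 | 0 |
| 42 | 20 | 22 | 40 | 22 | 18 | | 131282 | 0 |
| Average | | | | | | | | 0 |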
We notice from the simulation that for the network
from Fig. 5 the transport cost savings overall are equal
to zero. In this case MMCF shows the same
performance as OSPF. The reason for this is the
symmetric structure of the network: if we take a closer
look at Fig. 5 we notice that here the shortest paths (in
hops) are the cheapest (with regard to total cost) paths.
This is the "worst case" scenario for MMCF
deployment.
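The effect seen across Simulations A to C can be reproduced on a toy network with the following added example, which is not the paper's OPL/CPLEX model. It assumes OSPF behaves as hop-count shortest path and that link capacities do not bind, in which case the min-cost multicommodity flow reduces to routing each demand on its cheapest path (the code refuses to answer otherwise). The two topologies, node names, capacities and demands are constructed; only the prices 667 and 267 come from the paper.

```python
import heapq

# Constructed sample data: bidirectional links, value = (price per Mbps, capacity in Mbps).
# 667 and 267 are the two monthly per-Mbps prices quoted in the paper; the rest is assumed.
ASYM = {("A1", "R1"): (267, 45), ("B1", "R1"): (267, 45),
        ("R1", "R3"): (667, 45),                        # direct but expensive link
        ("R1", "R2"): (267, 155), ("R2", "R3"): (267, 155),
        ("R3", "HQA"): (267, 45), ("R3", "HQB"): (267, 45)}
SYM = {("A1", "R1"): (267, 45), ("HQA", "R2"): (267, 45),
       ("B1", "R3"): (267, 45), ("HQB", "R4"): (267, 45),
       ("R1", "R2"): (267, 155), ("R2", "R3"): (267, 155),
       ("R3", "R4"): (267, 155), ("R4", "R1"): (267, 155)}  # uniformly priced ring
DEMANDS = [("A1", "HQA", 10), ("B1", "HQB", 5)]  # (spoke, hub, reserved Mbps)

def best_path(links, src, dst, weight):
    """Dijkstra over bidirectional links; weight(price) is the per-link metric."""
    adj = {}
    for (a, b), (price, _cap) in links.items():
        adj.setdefault(a, []).append((b, price))
        adj.setdefault(b, []).append((a, price))
    heap, seen = [(0, src, [src])], set()
    while heap:
        dist, node, path = heapq.heappop(heap)
        if node == dst:
            return path
        if node in seen:
            continue
        seen.add(node)
        for nxt, price in adj.get(node, []):
            if nxt not in seen:
                heapq.heappush(heap, (dist + weight(price), nxt, path + [nxt]))
    raise ValueError(f"no path from {src} to {dst}")

def route(links, demands, weight):
    """Reserve every demand on its best path; return the total monthly cost."""
    load = {edge: 0 for edge in links}
    for src, dst, mbps in demands:
        path = best_path(links, src, dst, weight)
        for a, b in zip(path, path[1:]):
            load[(a, b) if (a, b) in links else (b, a)] += mbps
    for edge, used in load.items():
        # Aggregate capacity constraint: sum over commodities <= link capacity.
        if used > links[edge][1]:
            raise ValueError(f"capacity binds on {edge}; an LP solver is required")
    return sum(links[edge][0] * used for edge, used in load.items())

def savings(links, demands):
    """Return (hop-count routing cost, min-cost routing cost, savings in %)."""
    hop_cost = route(links, demands, lambda price: 1)       # OSPF-like metric
    min_cost = route(links, demands, lambda price: price)   # cost metric
    return hop_cost, min_cost, round(100 * (hop_cost - min_cost) / hop_cost, 2)

if __name__ == "__main__":
    print("asymmetric:", savings(ASYM, DEMANDS))
    print("symmetric: ", savings(SYM, DEMANDS))
```

On the asymmetric sample the fewest-hop path crosses the expensive link, so cost-aware routing saves money; on the uniformly priced ring the fewest-hop path is already the cheapest and the savings are zero.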

5. CONCLUSIONS 

We have proposed a Multicommodity Flow
Optimization algorithm (MMFC) for resource allocation
in network based IP virtual private networks. It is
deployed by mapping the VPN topology on the
underlying ISP network, casting it as a network flow
model. Our design objective is to minimize the cost of
operation for a service provider supplying network-
based IP-VPN solutions. The novelty in this work is the
total cost formulation as a part of the routing metrics
and the influence of the network topology on the routing
performance improvement. We assume that the Service
Level Agreement between transport service providers
and VPN customers guarantees the reserved bandwidth
for the virtual connection. We compare the proposed
MMFC routing with the widespread OSPF routing. We
come to the following conclusions:

• The MMFC routing proves itself as a cost-
effective routing solution when the VPNs are
placing high traffic volumes on the underlying
transport network.

• An "asymmetric" backbone transport network
with regards to the backbone topology and
link speeds and prices is more appropriate for
deploying MMFC routing.

• For a "symmetric" backbone transport network
(e.g. ring) the MMFC routing is comparable or
equal to OSPF routing.

Based on the fact that the ISP networks are getting 
more and more "meshed" and taking into consideration 
the highly competitive business environment the service 
providers are operating presently, we conclude that the 
proposed MMFC routing is a useful cost saving 
approach for VPN management and provisioning. 